CMMC: Navigating the complexities of compliance

Manufacturers and distributors working with the Department of Defense (DoD) or any of its prime contractors need to pay close attention to new requirements that are being implemented. Failure to comply with new standards or audits may result in the loss of business opportunities and revenue. On the bright side, those that act now can gain a competitive advantage or, at the least, reduce business interruption.

Let’s take a look at the history of DoD cybersecurity requirements and where we are today with the Cybersecurity Maturity Model Certification (CMMC).

Prior to November 2020, companies working with the DoD were expected to perform a self-assessment of their environment against a published cybersecurity standard (NIST SP 800-171) and enter their assessment score into a portal referred to as the Supplier Performance Risk System (SPRS). This continues today, and in addition to performing a self-assessment, DoD contractors, including manufacturers, are expected to have a System Security Plan (SSP) and a Plan of Action and Milestones (POAM) developed for any areas of noncompliance, to present to the DoD or prime contractors when requested. Elliott Davis has assisted many customers with understanding and meeting these reporting requirements, as they can be confusing. While difficult to understand, these requirements are critical because they provide evidence of the steps the organization has implemented or plans to implement to meet compliance and secure the organization’s ability to continue to conduct business with the DoD.

On November 30, 2020, the DoD updated its supply chain regulations to increase the accountability of defense contractors and manufacturers as it relates to cybersecurity. Three new Defense Federal Acquisition Regulation Supplement (DFARS) clauses were added to help the DoD illuminate the current state of cybersecurity in its supplier network and to let defense contractors know that more stringent requirements and audits were on the way when bidding on (or participating in) new DoD contracts.

At the beginning of 2021, a new DFARS rule requiring CMMC to be implemented across the DoD supplier network was introduced. New DoD contracts will require prime contractors and all subcontractors to be CMMC compliant. Fortunately, there are different levels of compliance that will be required based on the types of information an organization handles as it relates to the DoD. Any organization that handles what is referred to as controlled unclassified information (CUI) will be required to be evaluated against the 110 controls in the NIST 800-171 framework, plus an additional 20 controls that have been added specifically for CMMC.

It’s important to note that the new CMMC framework and audit process are still ‘in progress’. However, all firms in the defense ecosystem should be evaluating and determining what level of CMMC compliance is required for their organization and how to become compliant. If an organization fails to receive certification on its first CMMC audit, it will lose critical time and revenue preparing for and conducting reassessments.

Elliott Davis recommends coordinating efforts with an independent accredited third-party auditor to acquire certification. Many cybersecurity consultants are training and preparing to best assist their clients. Elliott Davis is proud to note that we have one of the first Provisional Assessors for CMMC nationwide. Through our training and previous experience, we recommend that all organizations begin with a gap assessment. A third-party auditor can provide assistance in understanding the self-assessment technical requirements and options, as well as timing.

The second step to compliance is to engage a provider to perform a full NIST 800-171/CMMC readiness assessment. Elliott Davis assists organizations at this key step in the development of an SSP and POAM to prepare for CMMC compliance. It is likely that an organization will have significant remediation to complete in order to be compliant with the CMMC framework. Not only is it important to begin planning and remediating shortcomings immediately, it is also valuable to partner with a consultant that can provide recommendations and best practices for procedure and policy development.

Organizations will begin applying for certification in the second half of 2021. We believe early adopters and those in compliance will have a significant competitive advantage and experience limited business interruption. If this all seems a bit overwhelming and confusing, we understand. It is a lot to digest. Please consider scheduling a 30-minute discussion with the Elliott Davis cyber team if you would like clarification on these new requirements and what they may mean for your business. Please contact us to set up a meeting.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.